author | Stefan Metzmacher <metze@samba.org> | 2015-06-27 10:31:48 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:29 +0200 |
commit | cdba091867061a9ed805f02a170938fa7de85e7e (patch) | |
tree | c4d816989cbcf6b4705944a3d1ae1fde1d6b1748 | |
parent | ace23643d13ba49d51121463733be137ec070984 (diff) | |
download | samba-cdba091867061a9ed805f02a170938fa7de85e7e.tar.gz |
CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
-rw-r--r-- | source4/librpc/rpc/dcerpc.c | 12 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_auth.c | 15 |
2 files changed, 27 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 908fed20113..964924901c3 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -778,6 +778,18 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
 pkt->u.response.stub_and_verifier.length -= auth_length;
+ if (auth.auth_type != c->security_state.auth_type) {
+ return NT_STATUS_RPC_PROTOCOL_ERROR;
+ }
+
+ if (auth.auth_level != c->security_state.auth_level) {
+ return NT_STATUS_RPC_PROTOCOL_ERROR;
+ }
+
+ if (auth.auth_context_id != c->security_state.auth_context_id) {
+ return NT_STATUS_RPC_PROTOCOL_ERROR;
+ }
+
 /* check signature or unseal the packet */
 switch (c->security_state.auth_level) {
 case DCERPC_AUTH_LEVEL_PRIVACY:
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 15a843b4ef5..d617b07e07c 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -142,6 +142,21 @@ static void bind_auth_next_step(struct composite_context *c)
 state = talloc_get_type(c->private_data, struct bind_auth_state);
 sec = &state->pipe->conn->security_state;
+ if (state->in_auth_info.auth_type != sec->auth_type) {
+ composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
+ if (state->in_auth_info.auth_level != sec->auth_level) {
+ composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
+ if (state->in_auth_info.auth_context_id != sec->auth_context_id) {
+ composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
 state->out_auth_info = (struct dcerpc_auth) {
 .auth_type = sec->auth_type,
 .auth_level = sec->auth_level,
|
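Review bot: The three new checks in ncacn_pull_request_auth return NT_STATUS_RPC_PROTOCOL_ERROR without recording which trailer field differed from c->security_state, so a server that answers with an unexpected auth_type, auth_level or auth_context_id cannot be told apart in logs from any other protocol error. A one-line debug message before each return, or a single combined condition with one message, would make the rejection auditable; the same applies to the three composite_error() calls added to bind_auth_next_step in dcerpc_auth.c. A short comment above the block would also help, for example `/* trailer fields are server-supplied: they must match the negotiated security_state before the signature check or unseal below */`. The function starts and continues outside the hunk, so how `auth` is filled is not visible here.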
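Review bot: The comparison added to bind_auth_next_step is only as strong as the freshness of state->in_auth_info, and the hunk does not show where that struct is filled. If it is not reset before each server reply is parsed, a reply that carries no auth trailer could presumably be compared against values left over from an earlier leg and pass; this is worth confirming in the receive path, which lies outside the hunk. A comment stating the precondition would document it, for example `/* in_auth_info must come from the PDU that triggered this step */`.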